Minecraft creator Mojang has quietly started offering a ‘standalone’ version of Java with its loader as part of a new approach that should limit the effects of the software’s infamous insecurity on tens of millions of desktop gamers.
Until now, running Minecraft has meant having Java installed at a system level, which, given its historically flaw-ridden stats, presents a security risk for a computer even when Minecraft is not being used.
Given that an unknown number of users only install Java to play the famous game, integrating that into the launcher keeps this exposure to a minimum and in theory overcomes the issue of users who don’t bother to update Java to stay ahead of software flaws.
The company appears to have been testing this feature in recent months without making much fuss but has now included the technology for the Windows PC Edition of Minecraft (OS X support is promised by year end) for new downloads of the launcher.
As we understand it, users running the current version will need to update their software and then make an adjustment in the Minecraft Profile to point at the new javaw.exe executable.
Full instructions on how to do this have helpfully been posted on the How-To Geek website.
According to HTG, not only would users inadvertently running 32-bit Java see a significant increase in performance, even an up-to-date 64-bit Java installation might see a boost in FPS. The former is likely although the latter is hard to understand. Essentially, it’s the same Java but just called by the application rather than through Windows.
“A really, really big percentage of our players use 32-bit java on 64-bit machines, and they don't even know. 64-bit java runs significantly better in a lot of scenarios for Minecraft, so it's just a waste that they do this,” said an unnamed Minecraft developer on Reddit some weeks ago.
Exactly how long the new Java-free install has been available is not clear but it appears to date back to the middle of January. The Minecraft website has a single line noting that Windows users no longer needed to install Java to run the software.
A few points. De-installing Java in favour of Minecraft’s install won’t suit anyone who needs Java for something other than Minecraft. Users should also check that the version in use by the game is kept up-to-date because in theory there could be some delay between Oracle issuing patched versions and Mojang making them available.
Numerous analyses have identified Java as the top source of both unpatched known flaws and serious zero-days and yet the world keeps turning and little seems to change. Some users have de-installed Java completely but of course that stops super-game Minecraft from working. Many just ignore the issue, even running completely out-of-date versions.
For background, Danish security firm noticed a staggering 145 software flaws affecting Java in the third quarter of 2014 alone. In total, 77.65 percent of users running Personal Software Inspector (PSI) were running Java with around half running unpatched versions covering all versions including end of life.
Despite its vulnerability and continuing popularity with attackers, Java has added some security features over the years, including December 2012’s Java Version 7 Update 10 which made it possible to disable Java browser plug-ins.
Wolfgang Kandek, CTO of security firm Qualys, suggested that the security benefits were welcome.
"Including Java inside its own installation is a good move by the Minecraft team. It enables Minecraft to have the best version of Java available for its type of processing, giving better performance. On top of that they can turn off specific unnecessary items such as the browser integration part that are a huge win from a security perspective," he said.
"My backup program CrashPlan uses the same mechanism and it has been instrumental in making my Java installations on my desktop simpler - I don't have Java on the desktop anymore. I wish other programs such as Symantec AV for Mac went the same route."
"It reduces the Java threat to zero."
Mojang is now part of Microsoft's stable having been bought by the firm last September for $2.5 billion.